Authored By: Marty Solomon
Introduction
This document provides advice for users responsible for ensuring the ongoing security of their Pega applications. It focuses on the security administration events that are written to the security events log whenever an event occurs that concerns changes to the security model configuration, such as access groups, roles, and access control policies. It provides guidance for how to interpret the log's contents. For more information, see Security events log.
Note: Events marked with an asterisk (*) are always enabled.
Security Administration Events
Fields common to all events
The following table lists the fields and their values that are the same for all security administration events.
| Field Name | Value/Description |
| eventCategory | "Security administration event" |
| ipAddress | IP address where the request originated |
| nodeID | Node ID on which the request was processed |
| operatorID | Operator ID issuing the request |
| timestamp | Date & time of the request |
| appName | Name of application |
Advice
The advice is mostly the same for all security administration events. You should monitor these events daily. In a production system, these events should rarely occur. You must evaluate each occurrence to determine if the change was authorized. If not, reverse the modification that was made and block access to the user/IP address from which the request was made. The exception is the event that represents disabling or enabling operators. These can be expected events; however, they should be examined closely to determine their validity.
Because many of these events reflect changes to instances controlled by rule checkout or check-in, a single user operation may generate multiple events. For example, performing a check-in may generate import, update, and delete events.
Every invocation of access manager
Event message fields
| Field Name | Value/Description |
| eventType | "Access manager invoked" |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"Access manager invoked","id":"21052b73-0cee-43e6-94f2-f033801d8950","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:38:06:995"}
Every BIX form change and execution
The system generates BIX events when BIX configuration settings are modified and when BIX extraction occurs.
Event message fields
| Field Name | Value/Description |
| eventType | “BIX extract rule changed”
“BIX extract rule executed” |
| operation | “update”, “delete” |
| outputDirectory | BIX configuration setting |
| outputFormat | BIX configuration setting |
| ruleID | Full ID of the BIX extract |
| ruleName | Name of the BIX extract |
| className | Class name of the instance in the BIX extract |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"BIX extract rule changed","id":"7ea3cd72-33ed-4d70-841e-06ab2c8550d6","ipAddress":"10.2.204.143","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","outputDirectory":"C:\\","outputFormat":"CSV","requestorIdentity":"20211103T153639","ruleID":"RULE-ADMIN-EXTRACT PEGASAMPLE SAMPLE #20211105T204433.817 GMT","ruleName":"Sample","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 20:44:34:570"}
Every change to ABAC security policies
Fields
| Field Name | Value/Description |
| eventType | "Access control policy [condition] changed" |
| operation | “update”, “import”, “delete” |
| policy[Condition]ID | Full ID of the access control policy [condition] |
| policy[Condition]Name | Name of the access control policy [condition] |
Example 1
{"appName":"Company","eventCategory":"Security administration event","eventType":"Access control policy changed","id":"1a142555-5f23-40e3-a1c6-cdee51c09287","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","policyID":"RULE-ACCESS-POLICY DATA-ADMIN-OPERATOR-ID UPDATE!OPERATORUPDATECONTROL #20211102T200941.293 GMT","policyName":"Operator update control","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:09:54:686"}
Example 2
{"appName":"Company","eventCategory":"Security administration event","eventType":"Access control policy condition changed","id":"0b71e0c5-aa58-4fd9-9b99-a6602e1c91c7","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"delete","operatorID":"Companyauthor","policyConditionID":"RULE-ACCESS-POLICYCONDITION OG1ZAA-COMPANY-WORK-SURVEY CANVIEWSURVEY #20211102T203822.621 GMT","policyConditionName":"CanViewSurvey","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:38:48:325"}
Every change to CBAC security policies
Fields
| Field Name | Value/Description |
| eventType | “CBAC policy changed” |
| operaton | “update”, “import”, “delete” |
| policyID | Full ID of the client based access control policy |
| policyName | Name of the client based access control policy |
| eventType | “Done from client registration rule form” |
| Message | “client secret regenerated successfully” |
| outcome | “status created” |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"CBAC policy changed","id":"98bb35db-d432-47fd-ab76-49e8af6ae69d","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","policyID":"RULE-ACCESS-CLIENTDATA OG1ZAA-COMPANY-WORK-SURVEY SURVEYDATA #20211102T204838.720 GMT","policyName":"survey data","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:48:57:015"}
Every change to dynamic system setting
Fields
| Field Name | Value/Description |
| eventType | “Dynamic system setting changed” |
| operation | “update”, “delete” |
| settingID | Full ID of the dynamic system setting |
| settingName | Name of the dynamic system setting |
| settingValue | The value of the dynamic system setting |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"Dynamic system setting changed","id":"c4541722-ece5-4bdd-b2af-f9db15699b80","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","settingID":"DATA-ADMIN-SYSTEM-SETTINGS PEGA-ENGINE!PRCONFIG/DNODE/CASSANDRA_VERSION/DEFAULT","settingName":"Pega-Engine-prconfig/dnode/cassandra_version/default","settingValue":"3.11.3","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:59:01:853"}
Every change to content security policy (CSP)
Advice
The system often logs multiple events whenever a CSP is modified. In addition, the delete operation can occur when a checked out instance is discarded or when the instance that is not checked out is deleted. A check-in operation may generate three events: update, import, and delete.
Fields
| Field Name | Value/Description |
| eventType | "Content security policy changed" |
| operation | “update”, “import”, “delete” |
| policyHeader | Full content of the CSP in HTTP header form |
| policyID | Instance ID of the CSP |
| policyName | Name of the CSP |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"Content security policy changed","id":"4edb5f21-a059-4a46-b955-4252eb8347c9","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","policyHeader":"base-uri *; form-action *; frame-ancestors *; font-src *; frame-src * data: mailto: tel: blob: filesystem: mediastream:; img-src data: blob: filesystem: mediastream: \u0027self\u0027 cid: cid *; media-src * data: blob: filesystem: mediastream:; object-src * data: blob: filesystem: mediastream:; script-src * \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027 data: blob: filesystem: mediastream:; style-src * \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027 data: blob: filesystem: mediastream:; default-src * data: blob: filesystem: mediastream:; child-src * data: blob: filesystem: mediastream:; ","policyID":"RULE-ACCESS-CSP COMPANY #20211102T195809.378 GMT","policyName":"Company","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:59:13:724"}
Every change to security authentication policies
These events represent changes to the various policy settings on the Security Policies landing page (Configure > System > Settings > Security Policies).
Fields
| Field Name | Value/Description |
| eventType | "Authentication policy changed" |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"Authentication policy changed","id":"838ed584-0315-453d-846b-0b4b7e84d997","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 15:56:54:864"}
Every change to security event configuration
Fields
| Field Name | Value/Description |
| eventType | “security event configuration changed” |
| message | "security event configuration has been modified." |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"security event configuration changed","id":"16b99386-901a-497d-87c2-786fd1961166","ipAddress":"10.2.203.48","message":"security event configuration has been modified.","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:30:00:366"}
Every change to RBAC security policies (including RADO and RARO)
Fields
| Field Name | Value/Description |
| eventType | “Role name changed”
"Access of role to object rule changed" “Deny rule changed” |
| Operation | “import”, “update”, “delete” |
| roleName | Name of the role |
| roleNameID | Full ID of the role |
| roleObjectID | Full ID of the RARO |
| roleObjectName | Name of the role |
| denyObjectID | Full ID of the RADO |
| denyObjectName | Description of the RADO |
Example 1 (Role)
{"appName":"Company","eventCategory":"Security administration event","eventType":"Role name changed","id":"c164e9fe-e1d0-4e00-819b-028f4d0ae7f7","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"import","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","roleName":"Company:NoAccess","roleNameID":"RULE-ACCESS-ROLE-NAME COMPANY:NOACCESS #20211103T182053.208 GMT","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:21:10:985"}
Example 2 (Rule-Access-Role-Obj)
{"appName":"Company","eventCategory":"Security administration event","eventType":"Access of role to object rule changed","id":"9d007168-e9ef-4ee4-9a16-39a5bd36e556","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","roleObjectID":"RULE-ACCESS-ROLE-OBJ COMPANY:NOACCESS @BASECLASS","roleObjectName":"Company:NoAccess","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:27:04:639"}
Example 3 (Rule-Access-Deny-Obj)
{"appName":"Company","denyObjectID":"RULE-ACCESS-DENY-OBJ COMPANY:USER @BASECLASS","denyObjectName":"just testing","eventCategory":"Security administration event","eventType":"Deny rule changed","id":"1268df12-62f6-4ef1-bb7d-4180822860c7","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:51:29:476"}
Every change to access group settings
Fields
| Field Name | Value/Description |
| accessGroupID | Full ID of the access group |
| accessGroupName | Name of the access group |
| eventType | “Access group changed” |
| operation | “update”, “delete” |
Example
{"accessGroupID":"DATA-ADMIN-OPERATOR-ACCESSGROUP COMPANY:AUTHORS","accessGroupName":"Author","appName":"Company","eventCategory":"Security administration event","eventType":"Access group changed","id":"b98ced14-1cae-41c0-80ca-30b6bd650b16","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:15:34:974"}
Every change to workbasket role settings
The system generates these events whenever a work queue instance is created, updated, or deleted.
Fields
| Field Name | Value/Description |
| eventType | “Workbasket has changed” |
| Operation | “update”, “delete” |
| workBasketID | Full ID of the work basket (work queue) |
| workBasketName | Name of the work basket (work queue) |
Example
{"appName":"Company","eventCategory":"Security administration event","eventType":"Workbasket has changed","id":"9191fd84-2b77-457a-bae7-79204b930b56","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 19:17:37:000","workBasketID":"DATA-ADMIN-WORKBASKET COMPANYHOME:USERS","workBasketName":"Users"}
Every change to Disable/Enable operator
Advice
The system logs this event whenever an operator is disabled (prevented from logging in) or enabled (allowed to log in). These situations may be expected. Monitor these events closely and determine if they are expected. If not, block the user/IP address from which the action was taken and correct the affected operator’s settings. These events are generated only through the User Management API. Disable or enable events via the operator rule form. Security policy settings do not generate these events.
Fields
| Field Name | Value/Description |
| UserList | List of operator IDs included in the request |
| disablementReason | “Security profile changed” |
| eventType | “DisableOperators”, “EnableOperators” |
| message | “User disablement requested with a list of users”
“User enablement requested with a list of users” |
| outcome | “Success” |
Example 1 (disable request)
{"UsersList":"\"user1\"","appName":"Company","disablementReason":"Security profile changed","eventCategory":"Security administration event","eventType":"DisableOperators","id":"04160808-32aa-4300-abd6-2ca051113e8c","ipAddress":"10.2.204.140","message":"User disablement requested with a list of users","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","outcome":"Success","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 19:44:06:177"}
Example 2 (enable request)
{"UsersList":"\"CompanyGuest\"","appName":"Company","eventCategory":"Security administration event","eventType":"EnableOperators","id":"8ceb3eca-6311-480f-a270-8960dccc1ab2","ipAddress":"10.2.204.140","message":"User enablement requested with a list of users","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","outcome":"Success","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 21:07:04:296"}
Every change to add/update/remove a servlet or filter
Fields
| Field Name | Value/Description |
| FilterName | Name of the filter configuration |
| eventType | “Filter configuration updated” |
| Operation | “filter updated”
“filter added” “filter removed” |
| ClassName | Name of the filter class |
Example 1 (filter updated)
{"FilterName":"IPFilter","appName":"Company","eventCategory":"Security administration event","eventType":"Filter configuration updated","id":"6fa8aff5-89f0-4ca1-95b0-97dabde8959c","ipAddress":"10.2.207.32","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"filter updated","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 18:39:24:008"}
Example 2 (filter added)
{"ClassName":"net.jvmhost.test.IPFilter","FilterName":"filter2","appName":"Company","eventCategory":"Security administration event","eventType":"Filter configuration updated","id":"87b3e853-cbf8-48d3-8b95-d9fd7a7d01d2","ipAddress":"10.2.207.32","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"filter added","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 18:43:25:692"}
Example 3 (filter removed)
{"ClassName":"net.jvmhost.test.IPFilter","FilterName":"filter2","appName":"Company","eventCategory":"Security administration event","eventType":"Filter configuration updated","id":"42e31022-1f50-4ade-ae8c-b2b67546798b","ipAddress":"10.2.207.32","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"filter removed","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 18:46:04:158"}